Cicis reports data breach in payment systems

Malware in the Cicis Enterprises LP payment system may have exposed customer payment card information at more than 140 restaurants in 17 states, the company said late Tuesday.

The Coppell, Texas-based operator, with 450 units nationwide, said the malware had been removed and the payment systems secured at all restaurants this month.

“Our guests are our first priority at Cicis, and when we first learned of unusual activity in our system, we took immediate action to investigate, root out and fix the problem, and enact further safety measures,” said Darin Harris, Cicis CEO, in a statement.

“We want to reassure our guests that all malware has been removed, and we will continue to monitor and improve our systems to protect their payment card information,” Harris said.

Cicis said it began receiving reports in early March that the point-of-sale systems in several locations were not working properly. The company said the “vast majority” of compromised payment information was in March, but some cases dated back to 2015.

“The point-of-sale vendor immediately began an investigation to assess the problem and initiated heightened security measures,” the company said in a statement. “After malware was found on some point-of-sale systems, the company began a restaurant by restaurant review and remediation, and retained a third-party cyber-security firm, 403 Labs, to perform a forensic analysis.”

The company said it had notified authorities in each state where restaurants were affected.

Cicis has also established a dedicated, toll-free phone line to answer customer questions, at (877) 220-1388. Callers should use reference case number 8771062016.

The company encouraged customers who used payment cards at the affected restaurants during the period of potential exposure to monitor payment card statements so they can immediately report any unauthorized activity to their card issuer.

Cicis owns and franchises restaurants in 33 states.

Correction: July 20, 2016 An earlier version of this story misstated the number of restaurants affected by the potential data breach. It is 140 restaurants.